
[Security] Bump pymdown-extensions from 9.11 to 10.0

HIFIS Bot requested to merge dependabot-pip-pymdown-extensions-10.0 into master

Bumps pymdown-extensions from 9.11 to 10.0. This update includes a security fix.

Vulnerabilities fixed

Any file can be included with the pymdown-snippets extension

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

import os

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base, path)  # filename is now "/etc/passwd": an absolute path discards the base

PoC


... (truncated)

Patched versions: 10.0
Affected versions: >= 1.5, < 10.0

Release notes

Sourced from pymdown-extensions's releases.

10.0

  • Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy behavior.
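The following is an added illustration and not code from the merge request or from pymdown-extensions. It reproduces the path-join behaviour the advisory's Details section describes (an absolute or `..`-laden include path escaping the configured base) next to a containment check of the kind the 10.0 release notes describe under `restrict_base_path`. The function names, the constructed `docs` base and the use of `os.path.commonpath` are assumptions of this example; the real `get_snippet_path` in `snippets.py` is not reproduced here.

```python
import os


def join_unrestricted(base, path):
    """Pre-10.0 style resolution as described in the advisory.

    os.path.join drops `base` entirely when `path` is absolute and does
    nothing about '..' components, so the result can point anywhere.
    """
    return os.path.join(base, path)


def resolve_restricted(base, path):
    """Hypothetical hardened resolution modelled on restrict_base_path.

    Returns the canonical path if it ends up inside `base`, else None.
    Both sides are passed through realpath so symlinks and '..' are
    collapsed before the comparison.
    """
    base_abs = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_abs, path))
    try:
        # commonpath compares whole components, so "docs" is not treated
        # as a prefix of "docs-private".
        inside = os.path.commonpath([base_abs, candidate]) == base_abs
    except ValueError:
        # Raised for mixed absolute/relative inputs or different drives:
        # either way the candidate is not under the base.
        inside = False
    return candidate if inside else None


def is_under_base(base, path):
    """Convenience predicate over resolve_restricted."""
    return resolve_restricted(base, path) is not None


def naive_prefix_check(base, path):
    """The containment check to avoid: a plain string-prefix test.

    Kept here only to show why commonpath is used above; it wrongly
    accepts sibling directories that share the base's name as a prefix.
    """
    base_abs = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_abs, path))
    return candidate.startswith(base_abs)


if __name__ == "__main__":
    # Constructed sample include paths; no files are opened.
    base = "docs"
    for include in ("intro.md", "/etc/passwd", "../../../../etc/passwd"):
        print(f"{include!r:>28} -> unrestricted: {join_unrestricted(base, include)!r}, "
              f"allowed by restricted resolver: {is_under_base(base, include)}")
```

Running the block with the constructed base `docs` shows the unrestricted join returning `/etc/passwd` verbatim for the absolute include, while the restricted resolver rejects both the absolute and the `..` form and accepts only `intro.md`. The `naive_prefix_check` helper is included to show the classic mistake when adding such a check by hand: `../docs-private/secret` passes a string-prefix test against `docs` but fails the component-wise `commonpath` comparison.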
Commits
